Sovereign cloud: Protecting data in a complex regulatory environment

With data volumes increasing, it’s now common for data to be shared and stored across multiple jurisdictions

Though this can accelerate innovation and improve how we work, it also brings fresh concerns surrounding data sovereignty – a topic that’s come into the spotlight as we’ve become more aware of how organisations collect and store customer data.

In layman’s terms, data sovereignty is a legal principle which says that data is subject to the laws of the country in which it’s stored. It should be a key consideration for organisations that use the public cloud, as hyperscalers’ data centres can be located anywhere in the world.

A sovereign cloud, on the other hand, is cloud infrastructure that’s architected and built to comply with local laws on data privacy, access and control – and to avoid any conflicting regulatory demands. In practice, this means storing data in the country it was collected or using ‘virtual data spaces’ to enable cross-border data sovereignty, as we’ll explore below.

Let’s look at the current legal picture around data protection and examine how building a sovereign cloud can help organisations comply with often conflicting regulations.

Which data protection regulations apply to my organisation?

When your organisation operates across borders, complying with ever-changing data privacy regulations can prove challenging. To illustrate this, here’s a snapshot of the current regulatory landscape in the UK, EU and US.

1. Schrems II (EU and UK)

Until mid-2020, the US and EU participated in a joint Privacy Shield Agreement. This allowed US companies to receive personal data from the EU if they adhered to EU standards on data protection and privacy. However, in July 2020, the Court of Justice of the European Union invalidated this agreement due to concerns about surveillance by US law enforcement agencies. This landmark ruling is known as Schrems II.

Schrems II requires EU companies to conduct individual assessments of each data transfer to a non-EU country. Although the UK has left the EU, Schrems II currently still applies in this jurisdiction. This compels UK companies to find alternative safeguards to the invalidated Data Protection Shield to protect data flows between the UK and US.

2. GDPR (EU) and The DPA 2018 (UK)

The EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act (DPA) 2018 are both designed to ensure transparency and security around customer data.

As a result, these regulations have implications for data sovereignty.

For example, under GDPR cloud providers must commit to only disclosing personal data based on legal requests made under EU law. For US-based hyperscalers, this creates a clear conflict with the US CLOUD Act (see below). Although hyperscalers can assure customers that their data will be stored within their chosen jurisdiction, they can’t guarantee complete protection from US law enforcement.

3. The CLOUD Act (USA)

In 2018, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act came into force. This legislation compels US cloud providers to hand over data to government or law enforcement agencies if requested via a warrant, subpoena or court order – even if the data in question is stored in another country.

4. The COPO Act 2019 (UK) and Article 49 of GDPR (EU)

It’s worth noting that the UK and EU both have equivalent legislation to the CLOUD Act in place. In the UK, this is the Crime (Overseas Production Orders) (COPO) Act 2019, and in the EU it’s Article 49 of GDPR.

The UK’s COPO Act contains similar principles to the CLOUD Act. However, it goes even further by enabling authorities to compel any cloud provider operating outside the UK to release data to them – provided that the UK has signed a Designated International Cooperation Agreement (DICA) with the country in question.

Looking forward, it’s likely we’ll see more countries enacting similar legislation, with international organisations potentially having to juggle conflicting legal obligations.

5. GAIA-X (EU)

Currently in its implementation phase, the GAIA-X Framework has been developed by businesses, government officials and scientists across Europe. It provides the foundation for a networked system that links many cloud services providers together, in which data is decentralised and federated using next-generation infrastructure and security standards.

Implementing sovereign cloud

Given this complex regulatory landscape, it’s no surprise that organisations’ interest in sovereign cloud is growing. There are two routes available to them – either turning to a regional storage provider that operates within specific national borders or building their own sovereign cloud using on-premises private cloud storage. However, this doesn’t mean organisations need to give up on hyperscalers.

Often a hybrid, multi-cloud strategy –combining private and public clouds – is the best approach. This way, organisations can leverage the right cloud for the right workload and take advantage of the breadth of services offered by different cloud providers.

For organisations that still need to move data between countries, so-called ‘virtual data spaces’ are emerging to enable cross-border data sovereignty. These depend on data relationships between trusted partners – data providers, users, intermediaries, etc. – with the same high standards for storing and sharing data. Crucially, the data in question is stored at its source and is only moved between locations when strictly necessary.

The role of object storage in creating a sovereign cloud

Whether organisations build their own sovereign cloud or work with service providers that can offer this, the key enabler for these clouds remains the same – object storage.

Why? First and foremost, object storage is significantly more scalable and cost-effective than block or file storage.

What’s more, object storage provides S3 API compatibility. Because the S3 API has become the de-facto cloud standard, sovereign clouds with S3-compatible storage infrastructure can speak the same language as the public cloud, enabling easy data mobility.

Object storage also features automated data protection and, increasingly, protection against ransomware through data immutability and encryption. Data immutability prevents cybercriminals from altering or deleting data, enabling quick recovery of that data in theevent of a ransomware attack, without having to pay ransom. Encryption prevents hackers from reading data or making it public in any intelligible way, eliminating the other form of ransomware extortion.

The bottom line?

As the data economy flourishes, organisations must keep up with laws and regulations impacting data sovereignty and ensure they stay in compliance. Sovereign clouds with an object storage foundation are the best way to do so. If an organisation lacks the expertise to create its own sovereign cloud, local service providers can fill the gap.

About the Author

Neil Stobart is VP of Global System Engineering for Cloudian. Cloudian is the leader in data management software for the hybrid cloud. With military-grade security, limitless scalability and seamless cloud integration, Cloudian’s S3-compatible object storage lets users optimize data access, meet data sovereignty requirements and cut costs by consolidating information to a single, cloud-like platform. Cloudian’s geo-distributed architecture manages and protects object and file data at the edge, core, and in the cloud—for both conventional and modern applications. Learn more at